Google's Chrome browser was designed by some brilliant minds, but on Friday it …

Google's Chrome browser on Friday fell to a zero-day attack that pierced its vaunted security sandbox, the third such attack in as many days at a contest designed to test its resistance to real-world threats.

A teenage hacker who identified himself only as PinkiePie said he spent the past week and a half working on the attack. It combined three previously unknown vulnerabilities to gain full system access to a Dell Inspiron laptop that ran a fully patched version of Chrome on top of the most up-to-date version of Windows 7. He spent the past three days holed up in hotel rooms and conference areas refining the attack so it would break out of the sandbox, which was designed to prevent code-execution attacks like his even when security bugs are identified.

"These kinds of things are finicky," PinkiePie told reporters as he finished a blueberry yogurt just minutes after making his booby-trapped website display a picture of a pink pony wielding a medieval axe. He said he "got lucky" because he found a way to break out of Google's sandbox relatively early and then spent the rest of the time identifying vulnerabilities that allowed him to remotely funnel code through the system.

PinkiePie said all three of the vulnerabilities resided in code that's native to Chrome. That meant it qualified for a $60,000 prize, the top reward for the Pwnium contest Google sponsored at the CanSecWest conference in Vancouver. Members of the Chrome security team started analyzing the exploit and vulnerability details within minutes of the hack. Less than 24 hours later, Google put a fix into its distribution pipeline.

"Congratulations to PinkiePie (aka PwniePie) for a beautiful piece of work to close out the Pwnium competition!" an advisory accompanying the update for Windows, Mac, and Linux versions of Chrome stated. Referring to an exploit unleashed on Wednesday, it continued: "We also believe that both submissions are works of art and deserve wider sharing and recognition."

Additional details will be published once other WebKit packages that might also be vulnerable are patched.

Google is offering prizes of $60,000, $40,000 and $20,000 under the competition in an attempt to learn new strategies for fortifying Chrome against attacks that expose sensitive user data or take control of user machines. PinkiePie is only the second contestant to enter the contest. Both have demonstrated attacks that allowed them to take control of Chrome users' machines when they do nothing more than browse to an attack site.

The five vulnerabilities exposed during the third and final day of the contest are minuscule compared to the overall number of bugs Chrome's security team fixes each year. A member of the team said the value of Pwnium isn't in the number of bugs that come to light, but rather in the insights that come from watching how a reliable exploit is able to slip through carefully crafted defenses.

Updated to add official comment about $60,000 prize and the release of a patch.

Where do skills like these come from? Even with all the programming I can do on any major platform, I still can't even claim to do any of this 'hacking' stuff. Not that I'm interested in hacking other people's stuff, but having the ability and knowledge to would allow me to produce more consistently secure products in my opinion.
Start here. This may not work with modern software, but this is where it starts.
But... how would loading a webpage cause a buffer overflow or some such? It's just a web page! OK, it's not that simple, I'm sure, but alas.
Learn assembly programming. Get intimate with the concept of the stack. Spend the next several years of your life up to your neck in the past twenty years' worth of exploit and mitigation papers, in the debugger, in the big thick books, on the wargames, in the IRC channels.

I think Google is really smart to do this, on a number of levels:
- Good financials. How much would they spend paying their own people to find these vulnerabilities? And as shown in this thread, just being a programmer != hacker. They would pay more than the payouts here, for sure.
- Good publicity. Maybe I'm wrong on this one, but it seems that even though Chrome was hacked, the impression it leaves is that Google cares about this stuff and wants Chrome to be as secure as possible.
- Good product. Chrome just gets more secure, as they fix these odd cases.
At a core level, the control flow of a program is controlled by the input it receives. In the case of a web browser, that input is the webpage it visits and the page resources it loads. If you carefully craft the page just right (or wrong), you can control the program's flow in unexpected ways and use that power to gain access to the underlying system.

The details are very complex and not my area of expertise, but that's the general idea.

Here is the difference as I see it between Google and Apple. Google, who have always known that any system is vulnerable to sustained attack, work to avoid such attacks. Apple, the company with the highest market capitalisation in the western world, used to claim it was too small to have to worry about such matters. Since it was the great Steve who uttered the words, they became somehow company policy, and probably they stole the rest of their policy from their pals in Scientology: deny, deflect, claim drug use of your detractors. Do any fanboys see anywhere the words "Apple matched Google's 1 million pound prize pot for white-hatting their system"?

Actually, the two things which most impressed me were that PinkiePie is a teenager (clearly a very talented teenager) and that the vulnerabilities Glazunov exposed were patched within 24 hours. 24 hours? How the hell did they get it through QA in that time frame?

Well, I guess we shouldn't be surprised. Doing the impossible is what Pinkie Pie does. Only cartoon physics can break Chrome!

Hacking is Magic?

I'll show myself out.

I think someone does not get the Pinkie Pie reference.

I understand the reference (Pinkie Pie possessing the element of laughter, and therefore being the only one to be able to break the laws of physics for the purposes of comedy (although Rainbow Dash gives her a run (hur) for her money, for entirely different reasons.)) I was making a lazy pun based on the title of the show and the fact that even in the context of her own world, what she does is like magic in our own. Thus the 'I'll show myself out'.

Wow, it must have been even worse a pun than I'd thought.

On a related note, battle axes are too ordinary for Pinkie Pie. Personally I think she should have gone with her Pinkie Cannon.
The axe is part of the exploit; the Party Cannon is part of the payload.

"These kinds of things are finicky" PinkiePie told reporters as he finished a blueberry yogurt just minutes after making his booby-trapped website display a picture of a pink pony wielding a medieval axe.

Really? Was this meant to be a tongue-in-cheek, 'playing it straight' line or are Ars writers now as clueless as AP or BBC reporters?

@dadsfolk: Because we're awesome. (Seriously though, we have the best release and update system in the browser industry, and we were prepared to ship fixes quickly. I suggest watching to see how long it takes us to ship a fix for PinkiePie's exploit.)

Small single-purpose changes don't take as much time to QA. If you're starting with something that has already been QAed and you change one thing, does that mean you have to QA the entire product from scratch? No. Do you have a good idea what needs double-checking? Sure. And really, small changes happen during QA as a result of the QA process itself. Do they stop for every last change and QA from scratch? No, they would probably never get anywhere that way.

Also consider that many QA efforts are automated test suites. It can literally be made part of the build process. Throw enough CPU cores at it and it really doesn't take that long to build and run the tests.

Human nature being what it is, and having a devious mind myself, the first thing that came to mind with the idea of Google giving away $60k for discovered vulnerabilities was this: One person on the inside could "accidentally" work in some vulnerabilities while his prize-sharing pal on the outside discovers them.

dacjames wrote:

coder543 wrote:

But... how would loading a webpage cause a buffer overflow or some such? It's just a web page! OK, it's not that simple, I'm sure, but alas.

At a core level, the control flow of a program is controlled by the input it receives. In the case of a web browser, that input is the webpage it visits and the page resources it loads. If you carefully craft the page just right (or wrong), you can control the program's flow in unexpected ways and use that power to gain access to the underlying system.

The details are very complex and not my area of expertise, but that's the general idea.

I don't think this is a fair characterization. To say that "control flow of a program is controlled by the input it receives" gives the idea that there will always be some kind of input that can hack a program - that the program just can't help it, because the input "controls" it. I'd prefer it said that the input influences the flow of the program, however if the program (that is to say, the programmer/user) loses control by doing something other than what was intended by the programmer, then it hasn't fulfilled its job, and it evidences a design flaw. Just because these flaws are very numerous doesn't mean that they are inherent to programming in general. It boils down to human error. I realize it's possible, but I have yet to hear about a computer getting hacked because of a soft error, a failing hard drive, etc. (Even in the case of hardware failure, however, it is incumbent on the designer to make the system moderately fail-safe. Electronics is programming, of a sort. Instead of programming information to move around using a programming language, you're programming charges to move around using capacitors, semiconductors, etc.)
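The two posts above argue about the same thing from two sides: coder543's point that the input steers the program's control flow, and dacjames's point that letting it do so past the programmer's intent is a design flaw. The following C program, an added example that is not part of this thread and has nothing to do with the actual Chrome or WebKit bugs, makes the disagreement concrete on a constructed record format (assumed here: two header bytes giving width and height, followed by width*height pixel bytes). The unchecked parser lets the header alone decide how many bytes are copied into a fixed buffer; the checked parser adds the two bounds checks the first one omitted, so the same malformed record is rejected instead of overrunning `pixels[]`. The format, the function names and the sample records are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed record format (an assumption for this example, not a real
 * browser or image format): byte 0 = width, byte 1 = height, then
 * width*height pixel bytes. Both parsers copy the pixels into a fixed
 * buffer of MAX_PIXELS bytes. */
#define MAX_PIXELS 64

struct image {
    uint8_t width, height;
    uint8_t pixels[MAX_PIXELS];
};

/* The flaw: the number of bytes copied is decided entirely by the input's
 * own header. width*height can reach 255*255 = 65025, far beyond
 * MAX_PIXELS, and may also exceed the bytes actually supplied. Nothing
 * checks either bound, so a malformed record writes past pixels[] and
 * reads past the input. Kept only to contrast with parse_checked(); it
 * must never be run on untrusted data. Returns the pixel count copied. */
int parse_unchecked(const uint8_t *in, size_t in_len, struct image *img)
{
    if (in_len < 2)
        return -1;
    img->width = in[0];
    img->height = in[1];
    size_t n = (size_t)img->width * img->height;
    memcpy(img->pixels, in + 2, n);   /* trusts the header completely */
    return (int)n;
}

/* The fix: compare the declared size against both what the buffer can
 * hold and what the input actually contains before copying anything.
 * Returns the pixel count on success, -1 if the record is rejected. */
int parse_checked(const uint8_t *in, size_t in_len, struct image *img)
{
    if (in_len < 2)
        return -1;
    size_t n = (size_t)in[0] * in[1];
    if (n > MAX_PIXELS)            /* would overflow pixels[] */
        return -1;
    if (n > in_len - 2)            /* header claims more than was sent */
        return -1;
    img->width = in[0];
    img->height = in[1];
    memcpy(img->pixels, in + 2, n);
    return (int)n;
}

/* Constructed sample records (not taken from any real exploit). */
/* Well-formed 4x3 image: exactly 12 pixel bytes follow the header. */
static const uint8_t good_record[2 + 12] = { 4, 3,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
/* Malformed: the header claims 255x255 pixels but only two bytes follow. */
static const uint8_t bad_record[4] = { 255, 255, 0xAA, 0xBB };

int main(void)
{
    struct image img;
    printf("checked, good record: %d pixels\n",
           parse_checked(good_record, sizeof good_record, &img));
    printf("checked, bad record: %d (rejected)\n",
           parse_checked(bad_record, sizeof bad_record, &img));
    /* parse_unchecked(bad_record, ...) is deliberately not called: it
     * would copy 65025 bytes into a 64-byte buffer. */
    return 0;
}
```

On the well-formed record both parsers behave identically, which is exactly why the missing checks survive ordinary testing; only a record that lies about its own size tells the two apart. Note that the order of the two checks in `parse_checked` matters less than the fact that `n > in_len - 2` is evaluated only after `in_len < 2` has been ruled out, otherwise the subtraction would wrap.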
Something tells me Google engineers are well paid enough that this wouldn't be an issue. Of course, there is the human greed factor, which can never be underestimated, and the 'to see if I can get away with it' factor, but no. If you were a Google engineer, you would have to be stupid beyond belief to try this, no matter your skill...especially considering you'd likely end up blackballed. That $60k won't last long when you end up mowing lawns for a living, will it?
Nearly all testing of the browser at Google is automated. Once the code has been reviewed and analyzed, it can be tested in parallel across an incredible variety of conditions in an extremely short amount of time. Remember that Google has an enormous (and possibly the largest) parallel processing system in the world. They utilize that infrastructure incredibly effectively for things like building, testing, etc.

It's funny how you think "validate your input" is somehow a simple thing to do. Have you seen the specifications for all the technologies that a web browser supports? Furthermore, a web browser needs to do some very complicated things like *compile code down to native instructions*, interact with lots of native subsystems, and can generally be described as a miniature operating system within itself. Making such a thing 100% secure is a task that no one currently knows how to accomplish.